Re: BGP MD5 logs

From: Kambiz Agahian <aussiecert_at_gmail.com>
Date: Tue, 24 Aug 2010 13:17:08 -0700

Very true, especially with the "S" train.

Kambiz Agahian

CCIE Instructor/Consultant
M.Eng Telecom, CCIE# 25341, CCSI# 33326, MCSE, MCSA

On Tue, Aug 24, 2010 at 10:55 AM, Narbik Kocharians <narbikk_at_gmail.com> wrote:

> Guys, I have seen authentication fail even when the passwords are configured
> correctly between two or more routers connected to the same multiaccess
> segment. What I have done in the past to fix the problem is to remove the
> authentication and reapply it. You see more authentication errors when you
> configure peer-groups or templates. I have seen these on 12.4T and even
> earlier codes.
>
> On Tue, Aug 24, 2010 at 8:20 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> > Hi,
> >
> > If all the above suggestions do not work, then is there an ASA firewall or
> > IPS device inline between the 2 pairs?
> >
> > By default, the ASA firewall will clear the TCP options that carry this
> > authentication information - therefore one neighbor will always complain of
> > no authentication from the other neighbor. Below is a link with a good
> > configuration example on how to resolve this.
> >
> > http://www.packetslave.com/2009/07/12/bgp-through-an-asa-with-authentication/
> >
> > By default, IIRC the IPS has a signature also that clears the TCP options
> > just the same way the ASA does. For this, either remove option 19 from the
> > signature in question, or disable the signature altogether to enable your
> > authentication information to be carried across.
> >
> > Hope that's somewhat helpful.
> >
> > Sadiq
> >
> > On Tue, Aug 24, 2010 at 5:35 AM, Bryan <deadheadblues_at_gmail.com> wrote:
> >
> > > Masroor,
> > >
> > > Notice the packet is an RST. This happens on the old TCP connection
> > > when the BGP peer comes up on a new TCP connection with
> > > authentication.
> > >
> > > Do "show tcp brief" to see a list of TCP connections then kill the old
> > > one that is still hanging around. You will see a line corresponding to
> > > port 179 that is likely in the TIME_WAIT stage or something similar.
> > > Clear this one with "clear tcp tcb #######".
> > >
> > > This happens with BGP and LDP because they both use TCP.
> > >
> > > On Mon, Aug 23, 2010 at 7:35 PM, masroor ali <masror.ali_at_gmail.com> wrote:
> > > > Hi,
> > > >
> > > > I am getting these logs even having the same passwords on both sides, any
> > > > idea how to configure MD5 in BGP??
> > > >
> > > > %TCP-6-BADAUTH: No MD5 digest from 192.10.1.254(179) to 192.10.1.10(33278) (RST)
> > > > --
> > > > Regards,
> > > > Masroor Ali
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > CCIEx2 (R&S|Sec) #19963
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
> YES! We take Cisco Learning Credits!
> Training And Remote Racks available

Received on Tue Aug 24 2010 - 13:17:08 ART
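The option-stripping problem Sadiq describes can be confirmed from a capture taken on each side of the firewall. This added Python example (not from the thread or from any vendor) parses the TCP options of a raw segment and reports whether a well-formed MD5 Signature option (kind 19, RFC 2385) survived; the two sample segments, including the placeholder digest bytes, are constructed here for illustration.

```python
import struct

TCP_MD5_KIND = 19   # RFC 2385 TCP MD5 Signature option (what BGP MD5 uses)
TCP_MD5_LEN = 18    # kind(1) + len(1) + 16-byte digest

def parse_tcp_options(segment: bytes) -> dict:
    """Return {kind: option_data} for the options in a raw TCP segment (no IP header).
    A bogus or truncated option length ends parsing instead of raising."""
    if len(segment) < 20:
        raise ValueError("shorter than a minimal TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    opts, found, i = segment[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):                    # kind byte with no length byte
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # malformed length
            break
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def has_tcp_md5(segment: bytes) -> bool:
    """True only if a well-formed MD5 Signature option (kind 19, 16-byte digest) is present."""
    digest = parse_tcp_options(segment).get(TCP_MD5_KIND)
    return digest is not None and len(digest) == TCP_MD5_LEN - 2

def build_tcp_header(options: bytes) -> bytes:
    """Constructed sample: a SYN to port 179 carrying the given option bytes,
    padded to a 4-byte boundary with EOL the way real stacks do."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    # src port, dst port, seq, ack, offset<<4, flags (SYN), window, checksum, urg
    return struct.pack("!HHIIBBHHH", 33278, 179, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"                                     # MSS 1460
# Constructed: what the router sends (digest bytes are a placeholder, not a real MD5).
WITH_MD5 = build_tcp_header(MSS + bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + b"\xab" * 16)
# Constructed: the same segment after a middlebox replaced option 19 with NOPs.
STRIPPED = build_tcp_header(MSS + b"\x01" * TCP_MD5_LEN)
```

Run `has_tcp_md5()` over the SYNs captured on the inside and outside interfaces: a True on one side and False on the other points at the middlebox, not at a password mismatch.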

This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:53 ART